Installation

It is highly recommended to use a time sync daemon to keep client/server clocks in sync.

If hostname resolution has not been configured, you can manually add your clients and server to the hosts(5) file of each machine. Note that the FQDN (myclient.example.com) must be the first hostname after the IP address in the hosts file.

Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: ***
Re-enter KDC database master key to verify: ***

Service principals and keytabs

First, ensure you've configured krb5.conf on all involved machines.

A kerberos principal has three components, formatted as `primary/instance@REALM`. For user principals, the primary is your username and the instance is omitted or is a role (eg. "admin"): `myuser@EXAMPLE.COM` or `myuser/admin@EXAMPLE.COM`. For hosts, the primary is "host" and the instance is the server FQDN: `host/myserver.example.com@EXAMPLE.COM`. For services, the primary is the service abbreviation and the instance is the FQDN: `nfs/myserver.example.com@EXAMPLE.COM`.
The realm can often be omitted, the local computer's default realm is usually assumed.

With remote kadmin

This is the easier method, but requires you to have configured kadmin.

Open kadmin as root (so we can write the keytab) on the client, authenticating with your admin principal:

client# kadmin -p myuser/admin

Authenticating as principal myuser/admin with password.
Password for myuser/admin@EXAMPLE.COM:
kadmin:

Add a principal for any services you will be using, eg. "host" for SSH authentication or "nfs" for NFS:

kadmin: addprinc -randkey host/kbclient.example.com

WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.

Finally, copy kbclient.keytab from the server to the client using SCP or similar, then put it in place with correct permissions:

# install -b -o root -g root -m 600 kbclient.keytab /etc/krb5.keytab

Finally, delete kbclient.keytab from the server and client.

SSH Authentication

Use the instructions in Service principals and keytabs to create a principal for the "host" service for both client and server, then put the client's keys in the client's keytab and the server's keys in the server's keytab.

NFS Security

First, configure your NFS server server. Also see NFS Troubleshooting.
Configuring a time sync daemon on both the clients and the server is strongly recommended. Clock drift will cause this to break, and the error message will not be helpful.

Use the instructions in Service principals and keytabs to create a principal for the "nfs" service for both client and server, then put the client's keys in the client's keytab and the server's keys in the server's keytab.

NFS Server

Add a Kerberos export option:

sec=krb5 uses kerberos for authentication only, and transmits the data unauthenticated and unencrypted.

sec=krb5i uses kerberos for authentication and integrity checking, but still transmits data unencrypted.

sec=krb5p uses kerberos for authentication and encryption.

/etc/exports

/srv/export *(rw,async,no_subtree_check,no_root_squash,sec=krb5p)

And reload the exports:

# exportfs -arv

NFS Client

Mount the exported directory:

# mount nfsserver:/srv/export /mnt/

You can add -vv for verbose information, and may need -t nfs4 and -o sec=krb5p or your chosen security option.